External risk intelligence

Doctor WordPress Plugin Flaw Lets Users Become Admins

CVE advisory

Severity: CRITICAL (CVSS 9.8)

CVE-2025-6254

The Doctreat Core WordPress plugin has a critical vulnerability allowing unauthenticated users to gain administrator privileges by exploiting its registration function, potentially leading to full site compromise. This issue is reachable from the internet, making it a significant concern for sites using the plugin.

Halo Surface Signal: 5

Privilege Escalation

External exposure likelihood

Halo Surface Signal score for CVE-2025-6254

This vulnerability affects a WordPress plugin registration function. WordPress registration pages are public-facing by design, making this endpoint directly reachable from the internet for any unauthenticated visitor.

PCI scan relevance

PCI Relevance for CVE-2025-6254

Yes

CVE-2025-6254 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This WordPress plugin vulnerability allows unauthenticated attackers to register as an administrator. ASV scans treat any vulnerability with a CVSS base score of 4.0 or higher as an automatic failure, so a confirmed instance of this CVSS 9.8 issue on an in-scope host would fail the scan.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in the Doctreat Core plugin for WordPress that allows unauthenticated visitors to register as administrators. Because the flaw sits in the plugin's registration process, any visitor who can reach the registration form can obtain administrative access to a site that runs the plugin. The immediate task is to confirm whether the plugin is installed and, if so, to assess how exposed its registration flow is.

  • Unauthenticated users can gain admin access.
  • Critical flaw in public-facing registration process.
  • Confirm if plugin is deployed and assess exposure.

Attack Path

How an attacker could exploit the issue

An attacker exploits this vulnerability through the Doctreat Core plugin's own registration process. Because the vulnerable function, `doctreat_process_registration()`, does not restrict which role a newly registered account receives, an unauthenticated attacker can submit a registration that requests the administrator role and have it granted. An administrator account can then be used to install arbitrary plugins or themes, alter content, and read any data the site holds, which amounts to full site compromise.

  • Unauthenticated attackers can access registration.
  • A registration function improperly allows admin roles.
  • Leads to full site compromise via privilege escalation.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in the Doctreat Core WordPress plugin allows unauthenticated attackers to register as administrators. Successful exploitation would expose sensitive site data and give the attacker full control over the site's functionality and content.

  • WordPress administrator access.
  • Unauthenticated users can register.
  • Full site compromise is possible.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

For this WordPress plugin vulnerability, the application owner is responsible for remediation and should coordinate with the website's infrastructure or platform team. The first step is to identify every instance of the Doctreat Core plugin across the organisation's WordPress sites, record the installed version of each, and establish whether the registration flow is reachable by unauthenticated visitors. Remediate by updating to a release newer than 1.6.8, the last affected version; where an update cannot be applied at once, disable the plugin's registration functionality as an interim mitigation. Any site that was exposed while vulnerable should also be audited for administrator accounts that nobody on the team created, since a successful attack leaves an extra administrator behind; treat such a site as potentially compromised until that review is complete.

  • Application owners must address this issue.
  • Verify plugin installation and versions.
  • Plan remediation based on exposure.
  • Audit administrator accounts for unexpected additions.
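One way to carry out the inventory and audit steps above offline, written as an added example for this page (it is not a Halo or Doctreat tool): it reads the Version: line from a plugin main-file header, applies the 1.6.8 cut-off the advisory gives, parses the PHP-serialized wp_capabilities value that WordPress keeps in wp_usermeta, and lists administrator accounts registered on or after a date you choose. The plugin header, the user rows and the audit date are constructed sample data; in practice feed the functions the output of `wp plugin list` and an export of wp_users and wp_usermeta.

```python
import re
from datetime import datetime, timezone

# Last affected release named by the advisory: 1.6.8 and older.
LAST_AFFECTED = (1, 6, 8)

# WordPress stores wp_capabilities as a PHP-serialized array, e.g.
# a:1:{s:13:"administrator";b:1;}. Capture each role flagged true.
ROLE_RE = re.compile(r's:\d+:"([A-Za-z0-9_-]+)";b:1;')

# Constructed sample: the header block of a plugin main file.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Doctreat Core
 * Description: Core functionality for the directory theme.
 * Version: 1.6.8
 */
"""

# Constructed sample rows, shaped like wp_users and wp_usermeta.
SAMPLE_USERS = [
    {"ID": 1, "user_login": "siteowner", "user_registered": "2023-02-10 09:12:00"},
    {"ID": 7, "user_login": "dr_smith", "user_registered": "2025-06-28 14:03:11"},
    {"ID": 9, "user_login": "wpadmin2", "user_registered": "2025-07-01 03:22:47"},
]
SAMPLE_USERMETA = {
    1: 'a:1:{s:13:"administrator";b:1;}',
    7: 'a:1:{s:11:"contributor";b:1;}',
    9: 'a:1:{s:13:"administrator";b:1;}',
}
# Assumed audit window: the date the site is believed to have become exposed.
AUDIT_SINCE = datetime(2025, 6, 1, tzinfo=timezone.utc)


def parse_plugin_version(header_text):
    """Return the plugin's Version: header as a tuple of ints, or None."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9]+(?:\.[0-9]+)*)", header_text, re.M)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def is_affected(version):
    """Affected when the installed version is 1.6.8 or older."""
    return version is not None and version <= LAST_AFFECTED


def roles_from_capabilities(serialized):
    """Role names enabled in a serialized wp_capabilities value."""
    return set(ROLE_RE.findall(serialized or ""))


def recent_admins(users, usermeta, since):
    """Administrator logins whose user_registered is on/after `since`.
    Compare these against your own change records: any you did not create
    is a strong signal the flaw was used while the site was exposed."""
    flagged = []
    for u in users:
        if "administrator" not in roles_from_capabilities(usermeta.get(u["ID"])):
            continue
        registered = datetime.strptime(
            u["user_registered"], "%Y-%m-%d %H:%M:%S"
        ).replace(tzinfo=timezone.utc)
        if registered >= since:
            flagged.append(u["user_login"])
    return flagged


def audit(header_text, users, usermeta, since):
    """Combine the version check and the admin-account review for one site."""
    version = parse_plugin_version(header_text)
    return {
        "version": version,
        "affected": is_affected(version),
        "recent_admins": recent_admins(users, usermeta, since),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_HEADER, SAMPLE_USERS, SAMPLE_USERMETA, AUDIT_SINCE))
```

The version comparison is a plain tuple comparison, so a release such as 1.6.8.1 would be treated as newer than 1.6.8; confirm the actual fixed version against the vendor's changelog before relying on that edge.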

Frequently asked questions

What is the Doctreat Core plugin?

Doctreat Core is a component for WordPress often bundled with directory themes, such as the Doctreat Doctors Directory theme. It provides backend functionality specifically designed to manage medical professional listings, provider profiles, and user registration flows within a WordPress-based directory site.

How does CVE-2025-6254 allow privilege escalation?

This vulnerability is classified as Improper Privilege Management (CWE-269). It occurs because the plugin's registration function fails to verify or restrict the account roles requested during signup. Consequently, the system accepts a request to create a new user account with administrator privileges, granting unauthorized full control over the WordPress site to an unauthenticated party.
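The following Python is model code written for this page, not Doctreat Core's own source. It contrasts the flawed pattern described here and in the Attack Path section above, a registration handler that takes the account role from the client, with a hardened handler in which the server alone decides the role. The form field name `role`, the `account_type` field, and the mapping of directory account types to low-privilege WordPress roles are assumptions for illustration; the advisory does not name the request parameter.

```python
# Model of a registration handler, not the plugin's code. Field names and the
# account-type mapping below are assumptions for illustration.
DEFAULT_ROLE = "subscriber"

# Self-service account types a directory site might offer, each pinned to a
# low-privilege WordPress role. Administrator is deliberately absent.
ACCOUNT_TYPE_ROLES = {
    "patient": "subscriber",
    "doctor": "contributor",
}


class RegistrationRejected(Exception):
    """Raised when the hardened handler refuses a registration."""


def register_vulnerable(form, users):
    """CWE-269 pattern: the role is read from the client-controlled form
    ('role' is an assumed field name). A request carrying role=administrator
    is honoured as-is, which is the flaw class the advisory describes."""
    user = {
        "login": form["login"],
        "email": form["email"],
        "role": form.get("role", DEFAULT_ROLE),
    }
    users.append(user)
    return user


def register_hardened(form, users, users_can_register=True):
    """The server decides the role. Whatever the client sent under 'role' is
    ignored; an optional account type is looked up in a fixed allow-list and
    falls back to the default role when unknown. The site-wide registration
    toggle and login uniqueness are enforced here too, not left to the theme."""
    if not users_can_register:
        raise RegistrationRejected("registration is disabled on this site")
    login = form["login"].strip()
    if not login or any(u["login"] == login for u in users):
        raise RegistrationRejected("login missing or already taken")
    role = ACCOUNT_TYPE_ROLES.get(form.get("account_type"), DEFAULT_ROLE)
    if role == "administrator":  # invariant guard in case the map is edited
        raise RuntimeError("self-service registration must never grant admin")
    user = {"login": login, "email": form["email"], "role": role}
    users.append(user)
    return user


def registration_is_rejected(form, users, users_can_register=True):
    """True when the hardened handler refuses the given form."""
    try:
        register_hardened(form, users, users_can_register)
    except RegistrationRejected:
        return True
    return False


def admins(users):
    """Logins of every administrator in a user store, to compare the two
    handlers on the same hostile input."""
    return [u["login"] for u in users if u["role"] == "administrator"]


if __name__ == "__main__":
    # Constructed hostile registration: an anonymous visitor asking for admin.
    hostile = {"login": "newadmin", "email": "x@example.invalid", "role": "administrator"}
    store_v, store_h = [], []
    register_vulnerable(dict(hostile), store_v)
    register_hardened(dict(hostile), store_h)
    print("vulnerable handler granted admins:", admins(store_v))
    print("hardened handler granted admins:", admins(store_h))
```

The design point is that a registration form may legitimately let the visitor choose a profile type, but that choice must be translated server-side through an allow-list that cannot express a privileged role; validating the submitted role string against the list of roles that exist is not enough, because "administrator" exists.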

Do I need to be logged in to trigger this bug?

No. The flaw exists within the public registration process, so no prior authentication or existing account is required to exploit it. If your WordPress installation has user registration disabled, or access to the registration pages is otherwise restricted, the vulnerable code path may be unreachable; confirm that the plugin's own registration handler actually honours that setting rather than assuming it does, because plugin-provided forms can create accounts independently of the site-wide toggle.

Is my site at risk if it uses Doctreat Core?

Yes, if the plugin is active, your site is likely at risk. Halo Surface Signal identifies this as a high-priority concern because the registration endpoint in WordPress is typically exposed to the internet by design to allow new users to sign up, meaning the vulnerable function is reachable by anyone with web access.

When should I take action for this vulnerability?

You should act immediately. Begin by auditing your WordPress environment to locate every installation of the Doctreat Core plugin and record its version number. If you are running version 1.6.8 or older, you are affected. Coordinate with your team to apply the vendor-provided update or, until you can, disable the plugin's registration functionality, and review the site's administrator accounts for any that were created without your knowledge.
